GHSA-C38F-WX89-P2XG
Vulnerability from github – Published: 2026-05-12 22:25 – Updated: 2026-05-12 22:25Summary
When ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload.
Code that uses ujson.dumps() rather than ujson.dump() or only JSON load/decode methods is unaffected.
Details
Vulnerability Location:
- src/ujson/python/objToJSON.c:913 - objToJSONFile() function start
- src/ujson/python/objToJSON.c:931 - Error return on write failure
- src/ujson/python/objToJSON.c:942 - Early return without cleanup
Root Cause:
The objToJSONFile() function allocates a Python string object via ujson_dumps_internal(), calls the file's write() method, and returns early if write() raises an exception—but never calls Py_DECREF(string) on the early exit path.
PoC
import gc, tracemalloc, ujson
class BadFile:
def write(self, s):
raise RuntimeError("boom")
obj = {"x": "A" * 200000}
def run():
try:
ujson.dump(obj, BadFile())
except RuntimeError:
pass
run()
tracemalloc.start()
gc.collect()
base = tracemalloc.get_traced_memory()[0]
for i in range(5):
run()
gc.collect()
cur = tracemalloc.get_traced_memory()[0]
print(i, cur - base)
Impact
Any application that serializes data through ujson.dump() to an attacker-influenced file-like object that can fail can be driven into linear memory growth. An attacker can quickly use up all the memory of say a web server that sends JSON responses using ujson.dump() by repeatedly making requests then closing the connection mid response.
Remediation
The missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to UltraJSON 5.12.1.
Workarounds
Replacing ujson.dump(obj, file) with file.write(ujson.dumps(obj)) is equivalent (contrary to popular misconception, there are no streaming benefits to using ujson.dump()) and will avoid the memory leak.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.12.0"
},
"package": {
"ecosystem": "PyPI",
"name": "ujson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44660"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-12T22:25:11Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nWhen `ujson.dump()` writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload.\n\nCode that uses `ujson.dumps()` rather than `ujson.dump()` or only JSON load/decode methods is unaffected.\n\n### Details\n\n**Vulnerability Location:**\n- `src/ujson/python/objToJSON.c:913` - `objToJSONFile()` function start\n- `src/ujson/python/objToJSON.c:931` - Error return on write failure\n- `src/ujson/python/objToJSON.c:942` - Early return without cleanup\n \n**Root Cause:**\n\nThe `objToJSONFile()` function allocates a Python string object via `ujson_dumps_internal()`, calls the file\u0027s `write()` method, and returns early if `write()` raises an exception\u2014but never calls `Py_DECREF(string)` on the early exit path.\n\n### PoC\n```python\nimport gc, tracemalloc, ujson\n\nclass BadFile:\n def write(self, s):\n raise RuntimeError(\"boom\")\n\nobj = {\"x\": \"A\" * 200000}\n\ndef run():\n try:\n ujson.dump(obj, BadFile())\n except RuntimeError:\n pass\n\nrun()\ntracemalloc.start()\ngc.collect()\nbase = tracemalloc.get_traced_memory()[0]\n\nfor i in range(5):\n run()\n gc.collect()\n cur = tracemalloc.get_traced_memory()[0]\n print(i, cur - base)\n```\n\n### Impact\n\nAny application that serializes data through `ujson.dump()` to an attacker-influenced file-like object that can fail can be driven into linear memory growth. An attacker can quickly use up all the memory of say a web server that sends JSON responses using `ujson.dump()` by repeatedly making requests then closing the connection mid response.\n\n### Remediation\n\nThe missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to [UltraJSON 5.12.1](https://github.com/ultrajson/ultrajson/releases/tag/5.12.1).\n\n### Workarounds\n\nReplacing `ujson.dump(obj, file)` with `file.write(ujson.dumps(obj))` is equivalent (contrary to popular misconception, there are no streaming benefits to using `ujson.dump()`) and will avoid the memory leak.",
"id": "GHSA-c38f-wx89-p2xg",
"modified": "2026-05-12T22:25:11Z",
"published": "2026-05-12T22:25:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg"
},
{
"type": "WEB",
"url": "https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9"
},
{
"type": "PACKAGE",
"url": "https://github.com/ultrajson/ultrajson"
},
{
"type": "WEB",
"url": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "UltraJSON has a Memory Leak in ujson.dump() on Write Failure"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.